Why the frequent kernel updates??

An openSUSE version or so ago, kernel updates were a once- or twice-a-year event. Now they are bi-weekly or even weekly. Are these due to new features, security issues, correcting programming mistakes, or what?

Where can one view the changes included in the latest kernel update?
Also, is there a zypper feature to exclude specific updates for a time period or does one just install others one at a time and leave kernel updates in the queue?

I would think that managers of large unattended computer banks would not be happy to see weekly reboots.
I am nervous when I see a kernel update as I am afraid that this kernel update could hose my system requiring a reinstall, especially due to problems with the nvidia graphics, as has happened a few times in the past.

tom kosvic

On a Leap system, only security and recommended patches are provided. That is also true for the kernel. Thus, you will probably not get a "new" kernel (one with new features, etc.), but the same kernel with, when needed, retrofitted patches. Look at the version numbers (e.g. with YaST > Software Management and searching for kernel-default); probably only the build number changes: after the _ sign there is something starting with lp15.3. That is the build number. What is before it is the real kernel version.
I have 15.2; all the kernel versions available are 5.3.18. After that comes -lp152.19.2 up to 152.87.1, all new builds required mostly by security issues over the lifetime of 15.2 until now.

I do not know how you patch/update your system, but using YaST > Online Update, you get the patches presented at left. When clicking on them, you get a description below. Right now on 15.2 for the -lp152.87.1 build:

openSUSE-2021-1142 - Security update for the Linux Kernel

The openSUSE Leap 15.2 kernel was updated to receive various security and bugfixes.
The following security bugs were fixed:

  • CVE-2021-3679: A lack of CPU resource in the Linux kernel tracing module functionality was found in the way user uses trace ring buffer in a specific way. Only privileged local users (with …

and this text goes on for some length.

When you want to postpone such a patch to a moment that better suits you, but nevertheless want to install the other patches, you can Taboo the package (kernel-default) for the time being.

I don’t do updates through yast, only zypper. I will activate yast update to see these changes.

I am still wondering why the frequency has gone up so dramatically.

I am sorry about two posts on this subject. I tried to correct a misspelling in the title but "edit" would not let me, so I wrote a new one. I can't see how to delete one.

tom kosvic

I corrected the title for you.

You should not double post. That will make two discussions where people will not know what happens in the other thread.
I will remove the other one.

zypper will also be able to show those texts, but I can not produce the correct syntax now (have to read the man page, like you ;))

Reasons:

  1. hacking has become more frequent - ways to get privileges that you should not have are being fixed as fast as reported.

  2. new chip sets in computers have to be supported - this includes CPUs and bug fixes for them.

  3. additional checks for attempts to load drivers that are malware. These guys just keep trying and you don't want them on your machines.

  4. there are a lot more users reporting problems - not only openSUSE but the other flavors, fedora, ubuntu, arch, debian - are all finding things needing corrections - but maybe not for your hardware.

They were always more frequent than “once or twice a year.” However, I’ll grant that they seem to be unusually frequent in Leap 15.3.

Probably because Leap 15.3 kernels come directly from SLE and SUSE has more resources dedicated to SLE kernel maintenance.

There’s a forum section News & Announcements. https://forums.opensuse.org/forumdisplay.php/691-News-amp-Announcements

All kernel patches and other security updates are announced here. See for example:
https://forums.opensuse.org/showthread.php/558329-openSUSE-SU-2021-2687-1-important-Security-update-for-the-Linux-Kernel?p=3057410#post3057410

Maybe you should mention that clicking on “More …” at the bottom of such an announcement will give you a much better readable version ;).

BTW, I have an RSS feed on that forum section (as on many others). Thus, if you find these sorts of things important, it is easy to stay informed.

Well, yes. I shall do that next time, now that you made me aware of it. lol! I have to admit I normally don’t check such details thoroughly. They just pop up if one follows the “New Posts” function of the forum.

From the supplied refs, I see now that kernel update to kernel-default-5.3.18-59.19.1 (this morning for me), repaired 7 vulnerabilities and did 58 app fixes. Impressive. I was unaware that this info was around. Appreciate learning about it.

One question: where and by whom are these fixes done? This looks to be more than volunteer work. Novell staff?

Also, one minor question is what is openSUSE timezone to which messages are referenced? Germany?

thanks, tom kosvic

EQT acquired SUSE back in 2018…
https://eqtgroup.com/current-portfolio/suse

SUSE is headquartered in Germany…
https://www.suse.com/company/contact/headquarters/

First, check what patches are available:

david@atronach-opensuse:~> LANG=c zypper list-patches
Repository 'multimedia-apps' is out-of-date. You can run 'zypper refresh' as root to update it.
Loading repository data...
Reading installed packages...


Repository            | Name                        | Category    | Severity  | Interactive | Status | Summary
----------------------+-----------------------------+-------------+-----------+-------------+--------+---------------------------------------------
repo-backports-update | openSUSE-2021-1133          | recommended | moderate  | ---         | needed | Recommended update for keepassxc
repo-sle-update       | openSUSE-SLE-15.3-2021-2654 | recommended | moderate  | ---         | needed | Recommended update for system-config-printer
repo-sle-update       | openSUSE-SLE-15.3-2021-2687 | security    | important | reboot      | needed | Security update for the Linux Kernel


Found 3 applicable patches:
3 patches needed (1 security patch)

Second, list details of that particular patch:

david@atronach-opensuse:~> LANG=c zypper info --type patch openSUSE-SLE-15.3-2021-2687
Repository 'multimedia-apps' is out-of-date. You can run 'zypper refresh' as root to update it.
Loading repository data...
Reading installed packages...




Information for patch openSUSE-SLE-15.3-2021-2687:
--------------------------------------------------
Repository  : repo-sle-update
Name        : openSUSE-SLE-15.3-2021-2687
Version     : 1
Arch        : noarch
Vendor      : maint-coord@suse.de
Status      : needed
Category    : security
Severity    : important
Created On  : Sat Aug 14 10:16:56 2021
Interactive : reboot
Summary     : Security update for the Linux Kernel
Description : 
    The SUSE Linux Enterprise 15 SP3 kernel was updated to receive various security and bugfixes.




    The following security bugs were fixed:


    - CVE-2021-3659: Fixed a NULL pointer dereference in llsec_key_alloc() in net/mac802154/llsec.c (bsc#1188876).
    - CVE-2021-21781: Fixed a information disclosure vulnerability in the ARM SIGPAGE (bsc#1188445).
    - CVE-2021-22543: Fixed improper handling of VM_IO|VM_PFNMAP vmas in KVM, which could bypass RO checks and can lead to pages
    being freed while still accessible by the VMM and guest. This allowed users with the ability to start and control a VM to
    read/write random pages of memory and can result in local privilege escalation (bsc#1186482).
    - CVE-2021-37576: Fixed an issue on the powerpc platform, where a KVM guest OS user could cause host OS memory corruption via
    rtas_args.nargs (bsc#1188838).
    - CVE-2021-3609: Fixed a potential local privilege escalation in the  CAN BCM networking protocol (bsc#1187215).
    - CVE-2021-3612: Fixed an out-of-bounds memory write flaw in the joystick devices subsystem. This flaw allowed a local user to
    crash the system or possibly escalate their privileges on the system. (bsc#1187585)
    - CVE-2021-35039: Fixed mishandling of signature verification. Without CONFIG_MODULE_SIG, verification that a kernel module is
    signed, for loading via init_module, did not occur for a module.sig_enforce=1 command-line argument (bsc#1188080).
[...]

Alternatively, you can list the changelog for already installed packages:

david@atronach-opensuse:~> LANG=c rpm -q --changelog kernel-default
* Thu Jul 15 2021 denis.kirjanov@suse.com
- netfilter: x_tables: fix compat match/target pad out-of-bound
  write (CVE-2021-22555 bsc#1188116).
- commit 0b62bdb


* Wed Jul 14 2021 denis.kirjanov@suse.com
- seq_file: Disallow extremely large seq buffer allocations
  (bsc#1188062, CVE-2021-33909).
- commit fe01024


* Wed Jul 14 2021 denis.kirjanov@suse.com
- blacklist.conf: update blacklist
- commit 36a2250


* Wed Jul 14 2021 denis.kirjanov@suse.com
- usb: dwc3: Fix debugfs creation flow (git-fixes).
- commit dc4de14


* Wed Jul 14 2021 denis.kirjanov@suse.com
- blacklist.conf: update blacklist
- commit 6b0f6b8


* Tue Jul 06 2021 mkubecek@suse.cz
- series.conf: cleanup
- update upstream references and resort:
  patches.suse/scsi-ibmvfc-Avoid-move-login-if-fast-fail-is-enabled.patch
  patches.suse/scsi-ibmvfc-Handle-move-login-failure.patch
  patches.suse/scsi-ibmvfc-Reinit-target-retries.patch
  patches.suse/scsi-lpfc-Add-a-option-to-enable-interlocked-ABTS-be.patch
  patches.suse/scsi-lpfc-Add-ndlp-kref-accounting-for-resume-RPI-pa.patch
  patches.suse/scsi-lpfc-Fix-Node-recovery-when-driver-is-handling-.patch
  patches.suse/scsi-lpfc-Fix-Unexpected-timeout-error-in-direct-att.patch
  patches.suse/scsi-lpfc-Fix-crash-when-lpfc_sli4_hba_setup-fails-t.patch
  patches.suse/scsi-lpfc-Fix-node-handling-for-Fabric-Controller-an.patch
  patches.suse/scsi-lpfc-Fix-non-optimized-ERSP-handling.patch
  patches.suse/scsi-lpfc-Fix-unreleased-RPIs-when-NPIV-ports-are-cr.patch
  patches.suse/scsi-lpfc-Ignore-GID-FT-response-that-may-be-receive.patch
  patches.suse/scsi-lpfc-Reregister-FPIN-types-if-ELS_RDF-is-receiv.patch
  patches.suse/scsi-lpfc-Update-lpfc-version-to-12.8.0.10.patch
  patches.suse/scsi-scsi_dh_alua-Retry-RTPG-on-a-different-path-aft.patch
- commit 9a3a833


* Tue Jul 06 2021 mkubecek@suse.cz
- fix patch metadata
- fix Patch-mainline and move to "almost mainline" section:
  patches.suse/qla2xxx-synchronize-rport-dev_loss_tmo-setting.patch
[...]

You can lock either a package or a patch:

david@atronach-opensuse:~> LANG=c sudo zypper addlock kernel-default
Specified lock has been successfully added.
david@atronach-opensuse:~> LANG=c sudo zypper up kernel-default
Retrieving repository 'multimedia-apps' metadata ..............................................................................[done]
Building repository 'multimedia-apps' cache ...................................................................................[done]
Loading repository data...
Reading installed packages...
Resolving package dependencies...


Problem: conflicting requests
 Solution 1: remove lock to allow installation of kernel-default-5.3.18-59.19.1.x86_64[repo-sle-update]
 Solution 2: do not ask to install a solvable providing kernel-default.x86_64 = 5.3.18-59.19.1


Choose from above solutions by number or cancel [1/2/c/d/?] (c):

And similarly, for a patch:

david@atronach-opensuse:~> LANG=c sudo zypper addlock --type patch openSUSE-SLE-15.3-2021-2687
Specified lock has been successfully added.
david@atronach-opensuse:~> LANG=c sudo zypper update --type patch openSUSE-SLE-15.3-2021-2687
Loading repository data...
Reading installed packages...
Patch 'openSUSE-SLE-15.3-2021-2687-1' is locked. Use 'zypper in --force patch:openSUSE-SLE-15.3-2021-2687' to install it, or unlock it using 'zypper rl patch:openSUSE-SLE-15.3-2021-2687'.
Resolving package dependencies...


The following 12 items are locked and will not be changed by any action:
 Available:
  MozillaFirefox autoyast2-installation grub2-systemd-sleep-plugin intel-vaapi-driver kate libreoffice-gnome
  patch:openSUSE-SLE-15.3-2021-2687 plymouth vlc xf86-video-fbdev xf86-video-vesa yast2-snapper
Nothing to do.

Note that you don't have to specify the --type option if you want to lock a regular package - it's selected by default, but if you want to lock a patch you have to add --type patch to the addlock command, otherwise you end up locking a non-existent package (because the patch has a different name) and the patch itself will still not be locked.
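As an added example (not code from any post in this thread), the script below automates two things explained above: splitting a kernel-default version such as 5.3.18-lp152.87.1 into the upstream kernel version and the SUSE build number (the earlier post on Leap version numbering), and pulling the CVE and bsc# references out of the package changelog that `rpm -q --changelog kernel-default` prints, which is the quickest way to answer "how many vulnerabilities did this update fix?". The changelog text embedded in the script is a constructed sample in that format; on an openSUSE host with rpm and kernel-default installed the script uses the real changelog instead.

```shell
#!/bin/sh
# Added example, not from the forum thread: summarise the security-relevant
# facts about an openSUSE kernel package. Splits the package version into the
# upstream kernel version and the distribution build, and lists the CVE and
# bsc# references found in the package changelog. SAMPLE_CHANGELOG below is a
# constructed sample in the format of `rpm -q --changelog kernel-default`.

# "5.3.18-lp152.87.1" -> "5.3.18 lp152.87.1" (upstream version, distro build).
# Everything before the first '-' is the upstream kernel; the rest is SUSE's
# build number, which is what changes on most Leap kernel updates.
split_kernel_version() {
    printf '%s %s\n' "${1%%-*}" "${1#*-}"
}

# Unique CVE identifiers in changelog text read from stdin, sorted.
extract_cves() {
    grep -oE 'CVE-[0-9]{4}-[0-9]{4,}' | sort -u
}

# Unique SUSE bugzilla references (bsc#NNNNNNN) read from stdin, sorted.
extract_bscs() {
    grep -oE 'bsc#[0-9]+' | sort -u
}

# Number of distinct CVEs in changelog text read from stdin.
count_cves() {
    extract_cves | wc -l | tr -d ' '
}

# Constructed sample changelog: three entries, two of which are CVE fixes.
SAMPLE_CHANGELOG='* Thu Jul 15 2021 maintainer@example.com
- netfilter: x_tables: fix compat match/target pad out-of-bound
  write (CVE-2021-22555 bsc#1188116).
- commit 0b62bdb

* Wed Jul 14 2021 maintainer@example.com
- seq_file: Disallow extremely large seq buffer allocations
  (bsc#1188062, CVE-2021-33909).
- commit fe01024

* Wed Jul 14 2021 maintainer@example.com
- usb: dwc3: Fix debugfs creation flow (git-fixes).
- commit dc4de14'

# Use the installed kernel's changelog when rpm and kernel-default exist
# (openSUSE); otherwise fall back to the constructed sample.
if command -v rpm >/dev/null 2>&1 && rpm -q kernel-default >/dev/null 2>&1; then
    changelog=$(rpm -q --changelog kernel-default)
    version=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' kernel-default | head -n 1)
else
    changelog=$SAMPLE_CHANGELOG
    version='5.3.18-lp152.87.1'
fi

echo "kernel version (upstream build): $(split_kernel_version "$version")"
echo "distinct CVEs referenced: $(printf '%s\n' "$changelog" | count_cves)"
printf '%s\n' "$changelog" | extract_cves
printf '%s\n' "$changelog" | extract_bscs
```

On a real system the changelog covers the whole history of the package, so the counts are cumulative; to see only what the pending update adds, compare this output against `zypper info --type patch` for the new patch, as shown above, or diff the changelog before and after the update.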

IMHO this is an extensive and to-the-point answer. I hope the OP is satisfied with it, but I am glad of it. Thanks.

Thanks for the breakdown of available zypper (and rpm) commands for controlling updates